Corporate Governance and Data Engineering: Navigating the Regulatory Landscape of the Digital Personal Data Protection Act, 2023

Anjana V

Published on: 2025-12-11

Abstract

India’s digital economy is expanding rapidly. This growth increases concerns about how corporations collect, engineer, and govern personal data. Existing literature largely examines corporate governance and data engineering in isolation, overlooking their convergence under the Digital Personal Data Protection Act, 2023. This study addresses that gap by asking: How does the DPDP Act reshape corporate accountability? What governance duties and data engineering practices must organizations integrate to ensure lawful, ethical, and transparent data processing? The objective is to map the Act’s requirements onto corporate governance structures and the technical architecture of data systems to show how both domains must operate together. Using a doctrinal and analytical methodology grounded in regulatory theory and principles of privacy-by-design, the study applies a governance engineering theoretical framework that links board oversight, fiduciary duties, consent management, data minimization, secure architectures, and automated retention protocols into a unified compliance model. The findings reveal that organizations cannot meet DPDP obligations without embedding governance logic into data pipelines and engineering workflows. The implications indicate that effective compliance demands cross-functional alignment among legal teams, boards, data engineers, and system architects. The study concludes that the DPDP Act transforms data protection from a mere technical requirement into a core corporate governance function essential for accountability and trust in India’s digital economy.

Keywords

Corporate governance; Data engineering; DPDP Act 2023; Privacy-by-design; Accountability; Data regulation; Digital compliance

Introduction

India’s digital economy has grown faster than its legal infrastructure. In the last decade, companies across finance, healthcare, retail, telecommunications, and online services have quietly built business models around personal data. Data engineering forms the backbone of this digital transformation. It designs pipelines that collect, classify, store, clean, and process user information on a large scale. Yet the same systems that power targeted services also expose individuals to invisible profiling, commercial exploitation, and security vulnerability. The pressure to regulate these practices eventually produced the Digital Personal Data Protection Act, 2023, India’s first attempt to treat personal data as a matter of individual rights and corporate responsibility.

Unlike earlier IT-based rules that only addressed breaches or wrongful access, the DPDP Act reshapes the corporate ecosystem from the inside. Privacy can no longer be treated as an add-on compliance task. The law requires data protection to become a core governance duty. Corporate boards, senior executives, compliance officers, and data fiduciaries are now accountable not merely for breach prevention but for how data is collected in the first place, how long it is kept, how consent is obtained, and how automated systems handle it without human supervision.

This shift has significant implications for how corporations build their technology. The law is written in legal language, but its outcomes depend on engineering choices: what data a system is allowed to request, how its fields are structured, whether it logs user consent, when it deletes records, and whether access controls are built into the architecture rather than patched later. In other words, the DPDP Act forces a merger between corporate governance frameworks and the technical logics of data systems.

This emerging relationship raises crucial questions: Can boards supervise systems they do not understand? Can engineers design lawful pipelines without knowing the company’s fiduciary obligations? And what kind of internal mechanisms are needed to balance legal duties and technical realities? These questions show that compliance is no longer the responsibility of a single department. It requires a coordinated approach that combines governance principles with privacy-aware engineering. This study explores this intersection, arguing that the future of corporate accountability in India’s data economy will be determined not only by how companies interpret the law but by how they design their systems to obey it.

Corporate Accountability, Data Regulation, and Privacy Engineering: Academic Perspectives

India’s digital markets have grown around the strategic use of personal data, but scholarship on this expansion has developed along separate disciplinary trajectories. Legal studies have primarily examined data protection through statutory interpretation, constitutional privacy rights, or compliance mandates [1]. Meanwhile, technical disciplines have focused on designing secure data systems, consent management tools, and algorithmic controls. Corporate governance scholarship, on the other hand, has discussed accountability mechanisms for boards and senior decision-makers but has seldom engaged with the technical realities of data handling inside organisations [2]. These fragmented approaches reveal how research often treats governance, regulation, and engineering as parallel domains rather than intersecting components of a unified data protection framework.

Within legal literature, the Digital Personal Data Protection Act, 2023 (DPDP Act), is frequently characterized as a normative shift from industry-driven cybersecurity rules toward a rights-based regime that places statutory duties on corporate data fiduciaries [3]. However, much of this writing focuses on compliance obligations, exemptions, and enforcement powers without showing how such requirements must be implemented at the architectural level within digital systems [4]. Likewise, discussions on corporate governance emphasize fiduciary duty, risk oversight, and board accountability, yet often remain at a policy level, detached from the technical procedures through which personal data is collected, stored, shared, or erased [5].

Technical literature on privacy engineering provides the opposite emphasis. It details how modern data pipelines can incorporate privacy-by-design principles through minimization defaults, access control logic, encryption layers, consent-tracking systems, and automated deletion mechanisms [6]. These studies clarify how compliance can be engineered, but they rarely address who within a corporation bears responsibility for ensuring such systems operate lawfully, nor how governance structures must supervise engineering decisions. As a result, engineers are treated as implementers rather than participants in corporate accountability frameworks.

The absence of convergence across these bodies of scholarship highlights a significant research gap: data protection cannot be understood solely as a legal mandate, a board-level policy, or a technical exercise. Under the DPDP Act’s fiduciary orientation, compliance becomes a shared responsibility that binds boards, compliance officers, system architects, and data engineers. Corporate governance cannot ensure lawful processing unless data systems embody legal principles, and data engineers cannot design compliant pipelines without decisions that originate from governance structures. It is this interdisciplinary interdependence that remains insufficiently theorized in existing literature.

By examining corporate accountability and data engineering as a single compliance ecosystem, this study seeks to provide a framework that bridges governance duties and technical mechanisms. Under the DPDP Act, accountability is no longer limited to documenting privacy policies, nor can it be reduced to security protocols embedded in code. Instead, the law transforms privacy into a governance-driven architectural requirement. Understanding this shift is crucial for evaluating how corporations in India must reconfigure both their decision-making structures and data systems to process personal information in a lawful, transparent, and ethical manner.

Doctrinal Framework of the Digital Personal Data Protection Act, 2023: Corporate Duties and Engineering Obligations

India’s Digital Personal Data Protection Act, 2023 ("DPDP Act"), marks a profound departure from the country’s earlier techno-administrative approach to privacy regulation. Rather than restricting itself to breach reporting or security compliance, the statute formulates privacy as an institutional duty that corporations must embed into their managerial decisions and data engineering design. The Act’s legal mandates require companies to treat personal data not as a commercial asset, but as information held in trust, subject to fiduciary responsibility and governance oversight. This transformation raises a central implication: law has moved inside the technical architecture, obligating corporate boards and engineers to co-produce compliance through systems that can demonstrate lawful processing.

Statutory Foundations of Corporate Responsibility under the DPDP Act

The DPDP Act defines entities that collect or process personal data as data fiduciaries, a phrase that intentionally borrows from fiduciary doctrine to signal a duty-bound relationship between corporations and individuals whose data they handle [7]. A fiduciary is obligated to act in the best interest of the data principal, an extension of the Supreme Court’s recognition of privacy as an intrinsic constitutional right [8]. This creates a legal environment where consent, purpose limitation, minimal data processing, security safeguards, retention limitations, and grievance redressal are not merely operational steps but statutory responsibilities.

Under Section 7, personal data may be processed only for a specific, lawful, and consent-based purpose, limiting the freedom of corporations to collect surplus data simply because it may later become commercially useful [9]. Section 8 further reinforces this shift by requiring data fiduciaries to maintain accuracy, ensure security safeguards, and implement reasonable data retention controls [10]. These provisions bind corporate actors to justify every stage of data processing, not only to end-users but also to regulatory authorities empowered to impose penalties for non-compliance.

Importantly, Section 10 imposes heightened obligations on Significant Data Fiduciaries, corporations whose scale or potential risk requires the appointment of a Data Protection Officer (DPO), independent audits, and periodical assessments [11]. These duties extend board accountability beyond policy formulation to actual supervision of engineering decisions that can affect compliance. A board resolution or privacy policy cannot satisfy statutory obligations unless it manifests in system behavior, meaning the law now evaluates what systems do, not merely what policies say.

Engineering Obligations Embedded in the Act

Although the DPDP Act is drafted in legal language rather than technical terminology, its requirements can only be implemented through engineering. Consent cannot be “free, specific, informed, and unambiguous” unless systems record it in machine-readable logs [12]; data minimization cannot occur unless data schemas restrict information fields; secure processing cannot exist without encryption protocols and access controls; retention cannot be limited without automated deletion workflows. The Act, therefore, embeds implicit technical mandates.

Privacy by design, formerly a discretionary ethical guideline, becomes a statutory necessity [13]. Scholars have shown that modern privacy compliance must be materially encoded into data architectures that minimize defaults, enforce role-based access, and generate auditable logs [14]. In an Indian context, this means engineers must structure pipelines to proactively prevent legal violations, rather than merely guard against breaches. A failure in logging consent could constitute non-compliance even if no data leak occurs. Similarly, a system that retains data beyond the lawful purpose, due to a lack of deletion automation, violates the Act independent of corporate intent.

The DPDP Act thus establishes a legal expectation that data systems themselves must “perform legality.” That performance cannot be evaluated solely by technologists; it is a compliance manifestation that regulators can assess through audits, breach inquiries, or penalties. It redefines software not only as a product or tool but also as evidence of a corporation’s legal behavior.

Fiduciary Accountability and Governance Controls

The movement from compliance documentation toward system accountability elevates the role of corporate governance. Boards can no longer treat data protection as an IT expense or an outsourced compliance report. Instead, they must supervise how data infrastructures embody legal duties [15]. Fiduciary responsibility now includes understanding whether organizational architecture respects consent, whether product design collects only necessary information, whether encryption standards reflect risk, and whether retention schedules are enforced by default rather than at managerial discretion.

The appointment of a Data Protection Officer for Significant Data Fiduciaries adds a governance intermediary between law and engineering [16]. However, the DPO’s ability to perform this role depends on collaboration with technical teams. A DPO who only reads legal texts but cannot interpret system logs cannot discharge statutory duties; likewise, engineers who design systems without knowledge of fiduciary obligations may unknowingly create unlawful architectures. The law, therefore, demands interdisciplinary governance capability: decisions about code now constitute decisions about compliance.

Doctrinal Interpretation: Privacy as an Architectural Mandate

Interpreted doctrinally, the DPDP Act translates privacy from a constitutional value into an architectural obligation. The state no longer relies on corporations to police themselves after violations but demands that systems prevent misuse by default. The legal shift mirrors a governance transformation: corporations must prove they are trustworthy not only by adopting policies but also by building technologies that cannot easily violate the law.

This doctrinal reading suggests a future regulatory model where technical proof becomes legal proof, and system design becomes a form of governance action. Corporations that ignore this convergence risk non-compliance not because they lack ethical principles, but because they lack compliant architecture. The DPDP Act thus marks a structural realignment in India’s data economy, where privacy is not merely protected by law but built into the system as law itself.

Governance Engineering Framework: Integrating Corporate Duties with System Design

The DPDP Act imposes corporate obligations that cannot be complied with through traditional governance practices alone. Statutory duties such as consent tracking, breach notification, purpose limitation, and lawful retention demand implementation in code, workflows, and system architecture. As a result, compliance no longer fits neatly under legal, audit, or IT departments; instead, it requires a convergent framework where managerial authority and engineering controls work as a single compliance unit. This alignment forms the foundation of a governance engineering framework, where legal mandates must directly shape system behavior and technical decisions must be informed by fiduciary norms.

Redefining Accountability through System Behavior

The DPDP Act assigns accountability to the Data Fiduciary, a designation borne not by a machine but by a human–institutional actor who authorizes and oversees system functionality [17]. Yet the consequences of a fiduciary decision manifest in software logic: consent recordings, logging frequency, encryption choices, and retention defaults. If these systems fail to comply, the liability lies with corporate governance, not with individual engineers or outsourced vendors. This creates a legal reality where an unlawful database schema can constitute a breach of fiduciary duty, even without a security leak.

Traditional compliance assumed that managerial declarations, policies, and documentation could demonstrate good faith. Under contemporary data regulation, evidence arises from code, logs, encryption keys, and deletion triggers [18]. Accountability thus becomes performative; the law evaluates what systems do, not what managers claim. Corporate governance, therefore, must possess the capacity to interrogate system behavior, not merely approve policy statements.

Translating Legal Mandates into Engineering Controls

The governance engineering framework posits that statutory duties must be treated as design requirements. The objective is not only to interpret the DPDP Act but also to make it executable within the architecture of data systems. Each statutory principle transforms into a corresponding technical obligation.

Table 1: Translating Legal Mandates into Engineering Controls.

| Legal Mandate (DPDP Act) | Engineering Requirement |
|---|---|
| Consent must be informed, free, specific, and unambiguous [19] | Consent logs, layered UI notices, and real-time tracking |
| Purpose limitation [20] | Schema restriction, field-level controls, API filters |
| Data minimization [21] | Default optional fields disabled, no surplus collection |
| Retention limitation [22] | Automated deletion scripts, archival workflows |
| Security safeguards [23] | Encryption, access control logic, and audit logs |
| Rights of individuals [24] | User dashboards, opt-out triggers, data portability tools |

None of these requirements can be achieved solely by instructing employees or drafting policies. They demand explicit architectural planning and technical implementation. The DPDP Act effectively mandates that compliance must be engineered, not merely announced.
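The following Python sketch is an added illustration, not part of the original paper and not a statement of what the Act or its rules prescribe. It shows how four rows of Table 1 (consent logs, purpose-bound schema restriction, withdrawal-triggered erasure, and automated retention deletion) can be enforced by the data layer itself. The purpose names, field lists, retention periods, and sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical purpose registry (an assumption, not taken from the Act):
# each purpose names the only fields it may hold and how long it may hold them.
PURPOSES = {
    "order_delivery": {"fields": {"name", "address", "phone"},
                       "retention": timedelta(days=90)},
    "marketing_email": {"fields": {"email"},
                        "retention": timedelta(days=365)},
}


@dataclass(frozen=True)
class ConsentEvent:
    principal_id: str
    purpose: str
    action: str          # "grant" or "withdraw"
    notice_version: str  # which notice text the data principal was shown
    at: datetime


class ConsentLedger:
    """Append-only consent log; the latest event per (principal, purpose) wins."""

    def __init__(self):
        self._events = []

    def record(self, event):
        if event.purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {event.purpose}")
        self._events.append(event)

    def is_active(self, principal_id, purpose):
        state = False
        for e in self._events:
            if (e.principal_id, e.purpose) == (principal_id, purpose):
                state = e.action == "grant"
        return state


class PersonalDataStore:
    def __init__(self, ledger):
        self.ledger = ledger
        self.records = {}  # (principal_id, purpose) -> (data, collected_at)
        self.audit = []    # (timestamp, action, principal_id, purpose, detail)

    def collect(self, principal_id, purpose, submitted, now):
        # Consent gate: refuse and log the refusal when no grant is in force.
        if not self.ledger.is_active(principal_id, purpose):
            self.audit.append((now, "refused", principal_id, purpose, "no consent"))
            raise PermissionError(f"no active consent for {purpose}")
        # Purpose limitation and minimization: surplus fields never reach storage.
        allowed = PURPOSES[purpose]["fields"]
        kept = {k: v for k, v in submitted.items() if k in allowed}
        dropped = sorted(set(submitted) - allowed)
        self.records[(principal_id, purpose)] = (kept, now)
        self.audit.append((now, "collected", principal_id, purpose, f"dropped={dropped}"))
        return kept

    def withdraw(self, principal_id, purpose, notice_version, now):
        # Withdrawal is logged and erases the purpose-bound record in one step.
        self.ledger.record(
            ConsentEvent(principal_id, purpose, "withdraw", notice_version, now))
        erased = self.records.pop((principal_id, purpose), None) is not None
        self.audit.append((now, "withdrawn", principal_id, purpose, f"erased={erased}"))
        return erased

    def retention_sweep(self, now):
        # Retention limitation: delete every record whose period has elapsed.
        expired = [key for key, (_, collected_at) in self.records.items()
                   if collected_at + PURPOSES[key[1]]["retention"] <= now]
        for key in expired:
            del self.records[key]
            self.audit.append((now, "expired", key[0], key[1], "retention limit"))
        return expired


def demo():
    """Run a constructed scenario for one data principal, 'dp-001'."""
    t0 = datetime(2025, 1, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    store = PersonalDataStore(ledger)
    ledger.record(ConsentEvent("dp-001", "order_delivery", "grant", "v1", t0))
    ledger.record(ConsentEvent("dp-001", "marketing_email", "grant", "v1", t0))
    form = {"name": "A. Rao", "address": "12 MG Road", "phone": "000",
            "email": "a@example.test", "date_of_birth": "1990-01-01"}
    kept = store.collect("dp-001", "order_delivery", form, t0)
    store.collect("dp-001", "marketing_email", form, t0)
    erased = store.withdraw("dp-001", "marketing_email", "v1", t0 + timedelta(days=10))
    try:
        store.collect("dp-001", "marketing_email", form, t0 + timedelta(days=11))
        blocked = False
    except PermissionError:
        blocked = True
    expired = store.retention_sweep(t0 + timedelta(days=91))
    return kept, erased, blocked, expired, store


if __name__ == "__main__":
    for entry in demo()[4].audit:
        print(entry)
```

The audit list that results is the kind of system-generated evidence the framework refers to: each collection, refusal, withdrawal, and expiry is recorded by the same code path that enforces it.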

Interdisciplinary Compliance Roles: The New Corporate Ecosystem

Implementing governance engineering requires corporations to reconfigure internal responsibility structures. Data engineers cannot remain implementers, detached from legal context, and governance actors cannot remain policy custodians who merely approve documents. The DPDP Act elevates internal collaboration to a legal necessity.

  • Boards and senior management must oversee data-driven risk, understanding not only privacy principles but also their engineering consequences [25].
  • Data Protection Officers (DPOs) provide interpretive authority but must acquire literacy in system architecture to evaluate compliance [26].
  • Data engineers and system architects must treat legal mandates as technical specifications rather than business requirements [27].

This restructuring reflects a shift from departmental silos to coordinated accountability. Compliance becomes a shared act, where law and code co-produce legitimacy. Breaking down departmental isolation is not an organizational preference but a statutory necessity.

Governance Engineering as a Preventive Regulatory Model

Unlike reactive regulatory regimes that intervene after a breach, the governance engineering approach constructs compliance as prevention. Architecture becomes a form of anticipatory regulation, where systems are designed to avoid illegal processing without additional managerial directives. Scholars describe this transformation as a transition from “policy governance” to “embedded governance,” where technical infrastructures enforce legal norms by default [28].

In this model, corporate legitimacy is measured through the opacity or clarity of system design:

A company that cannot explain what its systems collect or how long they store data cannot claim lawful processing, regardless of its privacy policy. Conversely, a corporation that automates retention limits and enforces data minimization through schema controls can demonstrate compliance without litigation or audit pressure. Architecture thus becomes self-validating evidence of accountability. Data systems do not merely support corporate governance; they enact it.

By mandating that corporate duties be implemented in system behaviour, the DPDP Act pushes Indian corporations into a new legal era where technology operationalizes law. This doctrinal shift forces companies to treat privacy not as an afterthought to digital innovation but as a built-in regulatory infrastructure. Governance engineering does not soften corporate regulation; it sharpens it. It ensures that lawful processing is not dependent on human promises but on designs that cannot easily break the law.

Compliance Challenges for Indian Corporations: Practical Barriers and Risk Mapping

Despite the DPDP Act’s doctrinal clarity and its aspiration to embed privacy within corporate architecture, Indian corporations face significant structural, technical, and organisational challenges in implementing compliance at scale. Many of these hurdles stem from legacy systems, fragmented data ecosystems, cost-sensitive business models, and inconsistent privacy literacy among governance actors and engineers. As a result, compliance is not simply a legal transformation but a systemic reconstruction of how companies design and monetise data. This section maps the primary barriers that corporations face and identifies risk clusters that will shape compliance in the Indian market.

Legacy Infrastructure and Fragmented Data Pipelines

A substantial share of Indian enterprises, especially in fintech, healthcare, telecommunications, and retail, operate on legacy systems where data collection practices evolved without regulatory scrutiny [29]. These systems rarely include structured consent logs, storage segmentation, or automated deletion controls, and often mix personal and non-personal data in the same tables or servers. Retrofitting compliance into infrastructures never designed for minimization or retention control requires expensive redesign, migration costs, and potential downtime.

More critically, Indian corporations depend heavily on third-party service providers for analytics, cloud storage, and advertising technologies [30]. These vendors often receive personal data through opaque contracts and informal channels, making it difficult to track lawful purpose or impose retention limits. The DPDP Act’s requirement that Data Fiduciaries control how processors handle personal data cannot be implemented without technical restructuring of vendor integrations, which many corporations currently lack the capacity to manage.

Cost-Driven Resistance and Absence of Privacy Literacy

Unlike multinational firms accustomed to GDPR-driven compliance, many Indian enterprises still view privacy as a cost center rather than a business risk [31]. The appointment of a DPO, mandatory audits for Significant Data Fiduciaries, architectural redesign, and investment in consent-management tools are perceived as regulatory burdens rather than fiduciary responsibilities [32]. In start-ups and MSMEs, governance structures often lack board committees dedicated to data oversight, resulting in ad-hoc compliance decisions delegated to IT personnel with no legal training.

Even within large corporations, engineers who design data infrastructure frequently possess limited awareness of statutory duties or fiduciary implications [33]. Conversely, governance actors (boards, compliance officers, legal teams) often lack literacy in systems architecture and cannot evaluate whether a database design satisfies retention mandates or schema restrictions [34]. This mutual opacity produces a compliance gap where neither side can perform lawful processing without collaboration mechanisms that most corporations currently lack.

Consent Management Complexities and User Interface Barriers

The DPDP Act’s requirement of free, specific, informed, and unambiguous consent is not merely linguistic; it demands interface-level engineering [35]. Yet Indian digital platforms routinely employ “bundled consent,” dark patterns, compulsory phone-number log-ins, and manipulative nudges that force users to accept unnecessary data collection [36]. Correcting such practices requires redesigning user experience flows, redesigning mobile app permissions, and implementing layered notices capable of differentiating core functionality from value-added services.

Additionally, consent revocation must not only be accessible, but it must also trigger technical workflows that stop processing in real time and initiate deletion or restriction protocols [37]. Social media and e-commerce systems, which depend on data aggregation, face immediate operational risks if revocation is automated without contingency planning. Consent management thus becomes a high-stakes engineering task, not a compliance checkbox.

Vendor and Cross-Border Risk Exposure

Corporate data ecosystems increasingly depend on cloud hosting, analytics outsourcing, and machine-learning agencies. The DPDP Act makes Data Fiduciaries accountable for how vendors process personal data, even when vendors operate independently or offshore [38]. Cross-border transfer restrictions, combined with liability for foreign processors, create compliance vulnerabilities in contracts, encryption, logging, and IP-controlled architectures. Risk exposure grows where companies use machine-learning models trained on unsegregated historical data [39]. If past training sets contain unlawfully collected, surplus, or purposeless data, corporations could face ongoing violations even when systems perform accurately. This complication turns AI development into a compliance minefield, where historic datasets may become unlawful assets requiring partial deletion or retraining, expenses that many corporations are unprepared to absorb.

Risk Mapping for the Indian Compliance Landscape

Table 2: The Compliance Landscape under the DPDP Act Can Be Categorised into Three Interconnected Risk Vectors.

| Risk Category | Core Problem | Illustrative Risks |
|---|---|---|
| Architectural Risks | Legacy systems and opaque pipelines | Data mixing, unlawful retention, and no consent logs |
| Governance Risks | Lack of literacy and cross-functional integration | Policy, system disconnect, ineffective DPO |
| Ecosystem Risks | Vendor mismanagement and AI training dependencies | Cross-border liability, model retraining costs |

These risk vectors demonstrate that DPDP compliance is neither purely legal nor purely technical. Risk emerges at the intersection of architecture, governance, and data supply chains.

Doctrinal Implication: Compliance as Market Restructuring

The DPDP Act does not merely punish wrongful data processing; it transforms market logic. Compliance demands that business models, particularly those built on surplus data capture, transition toward purpose-bound processing. Indian corporations must therefore confront not only technical redesign but also the commercial implications of restricted data monetization. The greatest compliance challenge is not breach prevention, but rethinking profit models that depend on unregulated data extraction.

Comparative Insights: GDPR and DPDP Act in Corporate System Accountability

The emergence of India’s Digital Personal Data Protection Act, 2023, has invited inevitable comparisons with the European Union’s General Data Protection Regulation (GDPR), often treated as the global benchmark for rights-based data governance. While both statutes recognise personal data as an interest that demands protection through consent, security safeguards, and organizational accountability, they achieve compliance through different structural pathways. These differences are not merely textual; they reformulate how corporations design systems, assign accountability, and monetize personal data. A comparative analysis reveals that while GDPR conceptualizes compliance as a human-monitored managerial duty, the DPDP Act evolves toward a system-driven fiduciary model, where lawful processing must be demonstrable within the architecture itself.

Contrasting Philosophical Foundations: Fundamental Right vs. Duty-Bound Data Fiduciary

GDPR is premised on autonomy-driven rights protection, rooted in the European Charter of Fundamental Rights [40]. It frames personal data as an extension of human dignity, emphasizing control, individual choice, and protective entitlements. In contrast, the DPDP Act is shaped by a fiduciary conception of corporate duty, treating data handlers as trustees who must act in the best interest of the data principal [41]. Rather than positioning users as autonomous negotiators, Indian law presumes a power imbalance and imposes obligations on the data fiduciary regardless of user sophistication.

This philosophical divergence alters compliance pathways. GDPR encourages user empowerment through rights such as portability, objection, access, and erasure [42]. The DPDP Act, while providing similar rights, places greater emphasis on obligating corporate conduct through purpose limitation, consent logging, and retention control, effectively embedding constraints into the organisational system rather than relying primarily on user action for accountability.

Design Accountability: Self-Executed Systems vs. Documentation-Driven Proof

Under GDPR, corporations are expected to document risks, assess harm through Data Protection Impact Assessments (DPIAs), and demonstrate compliance through paper trails, audits, and legal justification [43]. The legal burden rests on records that explain why and how systems process data. Although GDPR encourages privacy by design, the emphasis remains on rationalized decision-making and documentation.

The DPDP Act, by contrast, centers compliance on architectural performance rather than documentation. Consent is not proven through contract forms or written notices alone; it must persist as auditable logs, structured databases, system-level tags, and retention triggers capable of automated execution [44]. Privacy, then, is not merely declared; it must function in code. The DPDP model incentivizes preventive compliance: systems must be designed in such a way that they naturally minimize data and erase it when it is no longer lawful to store [45].

This creates a legal standard where the demonstration of compliance arises from system behaviour itself, making architecture a primary source of legal evidence rather than supplementary support.

Regulatory Mechanisms and Corporate Risk Allocation

GDPR assigns steep penalties for violations, up to 4% of global turnover [46], signalling strong regulatory enforcement. Yet its compliance model allows corporations to justify intrusive practices if they secure legal grounds through legitimate interest or user consent, provided there is sufficient documentation [47]. This flexibility has arguably allowed European businesses to innovate while retaining broad interpretive discretion.

The DPDP Act restricts corporate interpretive freedom more firmly by narrowing lawful grounds for processing and requiring demonstrable, specific consent for most personal data [48]. While fines under the DPDP Act may be comparatively lower in global terms, the statute expands liability by binding organizations not only to their decisions but also to the actions of processors, vendors, and outsourced infrastructure [49]. This extended vicarious responsibility increases systemic risk within supply chains, particularly where machine-learning vendors, cross-border cloud hosts, and advertising technologies are involved.

In effect, GDPR governs through penalties, while the DPDP Act governs through restrictive design mandates and control obligations. The latter reflects India’s policy choice to prevent violations through architecture instead of adjudicating them after harm.

Market Impact: Monetization Models under Scrutiny

European markets have adapted to GDPR by evolving consent pop-ups, cookie banners, risk assessments, and contractual safeguards. Critics argue that GDPR enforcement has struggled against surveillance capitalism because many platforms use consent fatigue and dark patterns to secure data access [50]. Indian law anticipates this shortcoming by limiting bundled consent and demanding granular justification for each processing purpose [51]. GDPR permits broad profiling under legitimate interest, provided risks are balanced [52]. The DPDP Act, however, will significantly curtail profiling-driven business models in Indian e-commerce, fintech, and advertising ecosystems [53]. The Indian regime thus threatens not only noncompliant practices but also profit mechanisms dependent on unrestricted capture, retention, and inference extraction.

GDPR tolerates commercial exploitation provided protective reasoning is documented. The DPDP Act structurally inhibits such exploitation by requiring proof-in-architecture.

Table 3: Comparative Outcome: Architectural Regulation vs. Interpretive Regulation.

| Feature | GDPR | DPDP Act (India) |
|---|---|---|
| Core Logic | Rights-autonomy | Fiduciary obligation |
| Compliance Style | Documentation & justification | Design-based execution |
| Consent Enforcement | Interpretive, negotiable | Machine-logged, restrictive |
| Risk Allocation | Penalties post-harm | Prevention through architecture |
| AI/Profiling Control | Risk-balanced | Purpose-bounded |
| Evidence of Compliance | Policies, DPIAs, Contracts | System logs, schema restrictions, and deletion triggers |

Doctrinal Significance

India’s DPDP Act does not imitate GDPR; it evolves beyond it by treating privacy as a governance architecture rather than a governance choice. The GDPR trusts corporations to make responsible decisions and explain them. The DPDP Act distrusts discretionary reasoning and demands system-demonstrable loyalty to the data principal. This trajectory suggests that Indian data regulation is not merely rights-driven; it is structurally interventionist, creating a model where technology becomes law and architecture becomes accountability.

Sectoral Case Studies: Finance, E-Commerce, and Healthcare Compliance Models

The compliance burdens of the DPDP Act do not affect all industries equally. While the statute provides a uniform governance obligation across sectors, the risk exposure, engineering requirements, and data-handling vulnerabilities diverge sharply in finance, e-commerce, and healthcare, three domains that rely heavily on high-volume personal data processing. Examining these sectors reveals how the DPDP Act transforms not only legal compliance but also product design, data monetization, and operational workflows in Indian corporations.

Finance Sector: Consent-Bound Processing and Risk-Weighted Architecture

India’s regulated financial ecosystem (banking, insurance, NBFCs, and payment intermediaries) already operates under high compliance pressure driven by RBI and SEBI norms [54]. Yet existing regulations primarily govern breach reporting, KYC integrity, and cybersecurity. The DPDP Act adds a new dimension: purpose-bounded consent and retention control. Financial institutions must now ensure that KYC data, transaction information, and credit histories are retained only for lawful business purposes, and not “just in case” they may later help profile consumer risk.

Before the Act, many lenders and fintech firms aggregated user behavioural data, including app usage and geo-location, to generate credit scores [55]. Under the DPDP Act’s narrow consent mandates, such profiling cannot occur without explicit, separate consent and demonstrable necessity [56]. As a result, risk algorithms become compliance assets, and unlawful training data may have to be deleted or re-engineered.

Table 4: Consent-Bound Processing and Risk-Weighted Architecture.

| Compliance Pressure in Finance | System Outcomes |
|---|---|
| Consent specificity for profiling | Segregated consent logs and separate data feeds |
| Retention limitation | Automated expiry of KYC and risk data |
| Fiduciary accountability | Audit-ready logs of decision inputs |
| Vendor liability | Contractual + encryption + access-key controls |

Financial compliance thus becomes mathematically traceable: audit officers must prove how each data point influenced a risk decision. The DPDP Act turns algorithmic opacity into legal liability.

E-Commerce Sector: Data Minimization and Anti-Profiling Architecture

Indian e-commerce platforms historically built business value on extensive behavioural capture: browsing trails, search history, abandoned cart data, eye-tracking through automated cookies, and forced mobile number log-ins [57]. These data flows drove targeted advertising, dynamic pricing, and push-notification marketing. The DPDP Act directly challenges these practices by restricting surplus collection and banning bundled consent for services not essential to platform use [58].

Dark patterns such as “pay using phone number to continue” or “log-in to see prices” violate lawful consent under Section 6 [59]. Platforms must now separate functional data collection (necessary for delivery or payment) from value-added targeting services. This requires extensive UI redesign and database restructuring:

  • Catalog systems must display prices without requiring login.
  • Ad systems must use segregated consent logs.
  • Recommendation engines must trigger only after explicit consent.

E-commerce systems historically rewarded “maximal data”; the DPDP Act rewards “minimal architecture.” Monetization shifts from extractive personalization to law-bound personalization, where user choice defines commercial strategy.

Healthcare Sector: Sensitive Data and Ethical Retention Models

Healthcare institutions process deeply sensitive data (diagnostic history, prescriptions, biometrics, reproductive information), where misuse produces not just commercial risk but irreversible dignity harm. Indian law recognizes heightened sensitivity but, unlike GDPR, does not categorically define sensitive data [60]. Instead, the DPDP Act imposes fiduciary obligations irrespective of sensitivity, placing hospitals, labs, and health-tech apps under strict consent, retention, and emergency-use constraints [61].

Hospitals traditionally retain patient records indefinitely due to medico-legal risk [62]. Under the DPDP Act, indefinite retention without lawful purpose becomes a violation. Patient history retention must now follow law + medical necessity + explicit consent. Telemedicine platforms, diagnostic apps, and wearable health technology must create:

  • consent logs tied to treatment episodes,
  • encrypted storage segregating diagnostic data from identity data,
  • time-bound retention protocols, and
  • patient control dashboards enabling revocation [63]
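The controls in this list (episode-tied consent logs, time-bound retention, revocation) can be sketched as a hash-chained consent ledger that drives a default-erase retention sweep. This is an added example, not code from the article or the statute; the class and function names, purpose labels, retention periods and sample records are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64  # prev-hash value for the first ledger entry

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class ConsentLedger:
    """Append-only, hash-chained consent log keyed by (principal, episode, purpose)."""
    def __init__(self):
        self.entries = []

    def record(self, event, principal, episode, purpose, at, retain_days=None):
        """event is 'grant' (with retain_days) or 'revoke'."""
        body = {"event": event, "principal": principal, "episode": episode,
                "purpose": purpose, "at": at.isoformat(), "retain_days": retain_days,
                "prev": self.entries[-1]["hash"] if self.entries else GENESIS}
        self.entries.append({**body, "hash": _digest(body)})

    def state(self, principal, episode, purpose, now):
        """'active', 'revoked', 'expired' or 'none', decided by the latest event."""
        key = (principal, episode, purpose)
        hits = [e for e in self.entries
                if (e["principal"], e["episode"], e["purpose"]) == key]
        if not hits:
            return "none"
        last = hits[-1]
        if last["event"] == "revoke":
            return "revoked"
        expiry = datetime.fromisoformat(last["at"]) + timedelta(days=last["retain_days"])
        return "active" if now < expiry else "expired"

    def verify_chain(self):
        """False if any entry was altered or the chain order was broken."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return False
            prev = e["hash"]
        return True

def retention_sweep(records, ledger, now):
    """Split records into (kept, erased); a record is erased unless consent is active."""
    kept, erased = [], []
    for r in records:
        ok = ledger.state(r["principal"], r["episode"], r["purpose"], now) == "active"
        (kept if ok else erased).append(r)
    return kept, erased

# Constructed sample data: one patient, one treatment episode, three purposes.
T0 = datetime(2025, 1, 1, tzinfo=timezone.utc)

def build_sample():
    ledger = ConsentLedger()
    ledger.record("grant", "P-001", "EP-7", "treatment", T0, retain_days=30)
    ledger.record("grant", "P-001", "EP-7", "ml_training", T0, retain_days=365)
    ledger.record("revoke", "P-001", "EP-7", "ml_training", T0 + timedelta(days=10))
    records = [{"id": i, "principal": "P-001", "episode": "EP-7", "purpose": p}
               for i, p in enumerate(["treatment", "ml_training", "marketing"], 1)]
    return ledger, records
```

The sweep treats a missing, revoked or expired consent identically, so data collected for a purpose that was never logged is erased rather than kept by default.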

Furthermore, healthcare AI models trained on aggregated patient data face new scrutiny: unlawful retention or lack of consent during dataset creation can invalidate subsequent model use [64]. This positions hospitals not just as custodians of data but as stewards of ethical machine learning.

Table 5: Cross-Sectoral Insights: Architecture as Compliance Evidence.

| Sector | Primary Risk | Required Engineering Control |
|---|---|---|
| Finance | Algorithmic profiling without granular consent | Consent-segmented training data and audit logs |
| E-Commerce | Forced identification and behavioral tracking | UI redesign + dark pattern elimination |
| Healthcare | Indefinite retention & unethical data training | Time-bound, diagnosis-linked retention + secure ML pipelines |

Across all sectors, compliance must be demonstrated through systems, not declarations. Architecture becomes not merely reflective of legal norms but constitutive of them. A company’s database becomes its testimony; logs become legal narratives; and code becomes corporate accountability.

Doctrinal Significance

Sectoral challenges show that the DPDP Act is neither a copy of GDPR nor an IT security statute. It regulates business models, not merely data practices. Compliance is not reactive litigation avoidance but proactive technological governance. By reshaping sectoral infrastructures, financial scoring systems, e-commerce marketing architectures, and health data ecosystems, the DPDP Act realigns the Indian digital economy toward purpose-bound, consent-anchored, ethically engineered data ecosystems.

Hybrid Conclusion and Future Directions: Market Reform, Technological Governance, and Legal Transformation

India’s Digital Personal Data Protection Act, 2023 initiates a structural shift in corporate accountability, not by expanding surveillance of companies, but by compelling them to redesign the very systems that enable digital business. Unlike traditional regulatory regimes that police misconduct after harm, the DPDP Act builds compliance into the architecture of data handling itself. It requires organizations to behave lawfully through their systems, not merely through their policies. In this sense, India’s data protection evolution is both a market reform and a technological governance transformation, with deeper implications for digital capitalism, corporate responsibility, and the legitimacy of artificial intelligence.

Re-Engineering the Digital Marketplace

The Act dismantles the long-standing business incentive to maximize data collection for speculative monetization. The law now limits what companies can collect and how long they can retain it, even if users are willing to share it [65]. This creates a new competitive currency: consumer trust backed by architectural restraint. E-commerce platforms that previously relied on opaque behavioural profiling must now justify each data point with specific consent [66]. Fintech businesses must redesign their scoring models to rely only on necessary and consented data streams [67]. Health technology companies must purge indefinite storage systems and secure diagnostic histories through time-bound retention [68]. Compliance thus becomes a commercial differentiator, and unlawful data becomes a liability rather than an asset.

Architecture as Corporate Governance

The DPDP Act also marks a jurisprudential departure from policy-driven governance toward systems-driven accountability. The ability of boards and senior management to demonstrate compliance now depends on whether they can show how system logs recorded consent, how retention controls deleted personal data, and how access architectures enforce minimization [69]. Corporations can no longer outsource responsibility to vendors or rely on disclaimers [70]. Fiduciary accountability stretches across entire data ecosystems, covering cloud processors, analytics intermediaries, cross-border storage, and AI training pipelines [71].

Boards and engineers must therefore collaborate as co-governors. Compliance officers must learn to read logs, evaluate code, and question the engineering of risk. Engineers must design with legal constraints as architectural requirements, not operational inconveniences. Governance becomes interdisciplinary not because efficiency demands it, but because the law now evaluates system behaviour as evidence of corporate intent.

Human Rights, AI, and the Coming Decade of Predictive Regulation

The DPDP Act’s implications extend into the future of artificial intelligence and predictive analytics. AI models trained on unlawfully collected data may themselves become unlawful corporate assets, risking deletion, retraining, and liability for ongoing inferences [72]. Non-consensual behavioural profiling, historically the backbone of targeted advertising, fintech risk evaluation, and healthcare machine learning, will increasingly fall under fiduciary scrutiny. As India moves toward data-sharing ecosystems under the Digital Public Infrastructure framework [73], the responsibility of corporations shifts from securing data to designing ethics into inference systems.

DPDP is not merely a privacy law; it is India’s first step toward predictive regulation, where legal compliance anticipates harms through architecture. Future amendments may address AI explainability, algorithmic discrimination, and auditable inference trails, solidifying system transparency as a legal expectation.

The Future: Trust as a Technological Asset

The DPDP Act ultimately reframes corporate legitimacy: trust is no longer won through marketing, promises, or after-the-fact penalties, but through observable technological restraint. Compliance becomes verifiable, not asserted. Logs become documentary proof of accountability. Code becomes a proxy for governance ethics. In this paradigm, corporations that engineer privacy into their architecture will be rewarded with consumer trust, operational predictability, and regulatory certainty.

Indian data regulation, therefore, moves toward a hybrid model in which law governs through architecture, markets reward lawful systems, and technology embodies fiduciary duty. Privacy, in this future, will not merely be protected by law; it will be produced by design.

References

  1. Singh S. Studying the Intricacies of Privacy and Data Protection in India – A Critical Analysis of the Indian Laws. 2025; 118.
  2. Bi B. International Corporate Governance in the Digital Age: Legal Challenges of Privacy Protection and Data Governance. 2024.
  3. The Digital Personal Data Protection Act, 2023 (No. 22 of 2023). 2023; 1-21.
  4. Greenleaf G. India’s 2023 Data Privacy Act: Business/government Friendly, Consumer Hostile. 2023.
  5. Kumar R, Rastogi M, Sharma S. Cybersecurity Risks and Corporate Accountability in India: Director Responsibility, Legal Reforms, and the Role of Regulatory Bodies in Data Protection. Int J Adv Res. 2025; 13: 608-611.
  6. Del-Real C, Busser ED, van den Berg B. A systematic literature review of security and privacy by design principles, norms, and strategies for digital technologies. 2025; 39: 374-405.
  7. The Digital Personal Data Protection Act, No. 22 of 2023, Sec 2(j) (India).
  8. S. Puttaswamy v. Union of India. (2017) 10 SCC 1 (India).
  9. The Digital Personal Data Protection Act, No. 22 of 2023, Sec 7 (India).
  10. Sec 8.
  11. Sec 10.
  12. Sec 7(1)(a).
  13. Gurshabad Grover & Kritika Bhardwaj, Privacy by Design in Indian Data Regulation, 8 NLSIR. 2022; 101: 110-113.
  14. Cavoukian A. Privacy by Design: The 7 Foundational Principles. 2011.
  15. Uppaluri U. India’s Data Protection Law: A Market-Oriented Rights Regime, 12 Indian L Rev. 2024; 45: 61–64.
  16. The Digital Personal Data Protection Act, No. 22 of 2023, Sec 10(2) (India).
  17. The Digital Personal Data Protection Act, No. 22 of 2023, Sec 2(j) (India).
  18. Zuboff S. The Age of Surveillance Capitalism. 2019; 101-105.
  19. The Digital Personal Data Protection Act, No. 22 of 2023, Sec 6(1) (India).
  20. Sec 7.
  21. Sec 7(2).
  22. Sec 8(7).
  23. Sec 8(5).
  24. Sec 12–14.
  25. Uppaluri U. India’s Data Protection Law: A Market-Oriented Rights Regime, 12 Indian L. Rev. 2024; 45: 64-67.
  26. The Digital Personal Data Protection Act, No. 22 of 2023, Sec 10(2) (India).
  27. Doctrinal Significance of the Governance Engineering Framework.
  28. Cavoukian A. Privacy by Design: The 7 Foundational Principles. 2011; 10-12.
  29. Sinha A. The Networked Public: How Social Media and Mobile Communication Are Changing Governance. 2022; 56-60.
  30. Legal and Cyber Innovations Reports, Data Protection Outsourcing Trends in India 2023; 11-14.
  31. Zuboff S. The Age of Surveillance Capitalism. Profile Books. 2019; 204-210.
  32. The Digital Personal Data Protection Act, No. 22 of 2023, Sec 10 (India).
  33. Uppaluri U. India’s Data Protection Law: A Market-Oriented Rights Regime, 12. Indian L Rev. 2024; 45: 75.
  34. Mohammed Hamid, Corporate Compliance in India’s Tech Markets, 19. J Corp Governance Stud. 2023; 81: 93-96.
  35. The Digital Personal Data Protection Act, No. 22 of 2023, Sec 6 (India).
  36. Mozilla Foundation. Consent Dark Patterns in India’s App Ecosystems. 2023; 15-19.
  37. The Digital Personal Data Protection Act, No. 22 of 2023, Sec 12 (India).
  38. Sec 16.
  39. Grover G, Bhardwaj K, Kapoor R. Regulating AI and Data Protection in India, 11. J Law & Tech. 2023; 51-54: 42.
  40. Charter of Fundamental Rights of the European Union Art. 8, 2012 O.J. (C 326) 391.
  41. The Digital Personal Data Protection Act, No. 22 of 2023, Sec 2(j) (India).
  42. Regulation (EU) 2016/679 of the European Parliament and of the Council. 2016.
  43. Art. 35.
  44. The Digital Personal Data Protection Act, No. 22 of 2023, Sec 6–8 (India).
  45. Grover G, Bhardwaj K. Privacy by Design in Indian Data Regulation, 8 NLSIR. 2022; 101: 114-115.
  46. Regulation (EU) 2016/679, Art. 83.
  47. Arts. 6, 7(4).
  48. The Digital Personal Data Protection Act, No. 22 of 2023, Sec 7 (India).
  49. Sec 16(2).
  50. Zuboff S. The Age of Surveillance Capitalism. 2019; 242-244.
  51. Mozilla Foundation, Consent Dark Patterns in India’s App Ecosystems. 2023; 16-18.
  52. Regulation (EU) 2016/679, Art. 6(1)(f).
  53. India Internet Policy Reports, Profiling and Data Monopolies in Indian Digital Markets. 2024; 49-52.
  54. Reserve Bank of India, Master Direction on Information Technology Framework for NBFCs § 3. 2017.
  55. India Fintech Council Report, Behavioral Scoring in Digital Lending. 2023; 41-47.
  56. The Digital Personal Data Protection Act, No. 22 of 2023, Sec 7 (India).
  57. Mozilla Foundation, Consent Dark Patterns in India’s App Ecosystems. 2023; 14-22.
  58. at 19.
  59. The Digital Personal Data Protection Act, No. 22 of 2023, Sec 6 (India).
  60. Comparative: Regulation (EU) 2016/679, Art. 9.
  61. The Digital Personal Data Protection Act, No. 22 of 2023, Sec 7–8 (India).
  62. P. Medical Council v. State of M.P., 4 MPLJ 597 (India). 2018.
  63. Telemedicine Practice Guidelines. Ministry of Health & Family Welfare. 2020; 23-27.
  64. Grover G, et al. Regulating AI and Data Protection in India, 11. J Law & Tech. 2023; 42: 55-57.
  65. The Digital Personal Data Protection Act, No. 22 of 2023, Sec 7 (India).
  66. Mozilla Foundation, Consent Dark Patterns in India’s App Ecosystems. 2023; 17-20.
  67. India Fintech Council Report, Behavioral Scoring in Digital Lending. 2023; 52-55.
  68. Telemedicine Practice Guidelines, Ministry of Health & Family Welfare. 2020; 23-27.
  69. The Digital Personal Data Protection Act, No. 22 of 2023, Sec 6–8 (India).
  70. Sec 16(2).
  71. Sec 9–11.
  72. Grover G, et al. Regulating AI and Data Protection in India, 11. J Law & Tech. 2023; 42: 55-57.
  73. Ministry of Electronics and Information Technology, India Stack and Digital Public Infrastructure Framework. 2024; 13-18.